# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

## GitLab Mattermost

upstream gitlab_mattermost {
  server <%= @service_address %>:<%= @service_port %>;
}

<% if @https && @redirect_http_to_https %>
server { ## HTTPS redirect server
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @redirect_http_to_https_port %><% if @proxy_protocol %> proxy_protocol<% end %>;
<% end %>

  server_name <%= @fqdn %>;
  server_tokens off;

  <% if @letsencrypt_enable %>
  location /.well-known/acme-challenge/ {
    root <%= @dir %>/www/;
  }
  <% end %>

  location / {
    return 301 https://<%= @fqdn %>:<%= @port %>$request_uri;
  }

  access_log  <%= @log_directory %>/gitlab_mattermost_access.log gitlab_mattermost_access;
  error_log   <%= @log_directory %>/gitlab_mattermost_error.log <%= @error_log_level%>;
} ## end HTTPS redirect server
<% end %>

server { ## HTTPS server
<% @listen_addresses.each do |listen_address| %>
  listen <%= listen_address %>:<%= @listen_port %><% if @proxy_protocol %> proxy_protocol<% end %><% if @https %> ssl<% if @http2_enabled %> http2<% end %><% end %>;
<% end %>
  server_name <%= @fqdn %>;
  server_tokens off;     # don't show the version number, a security best practice
  client_max_body_size <%= @client_max_body_size %>;

  <% if @https %>
  ssl_certificate <%= @ssl_certificate %>;
  ssl_certificate_key <%= @ssl_certificate_key %>;
  <% if @ssl_client_certificate %>
  ssl_client_certificate <%= @ssl_client_certificate%>;
  <% end %>
  <% if @ssl_verify_client %>
  ssl_verify_client <%= @ssl_verify_client%>;
  ssl_verify_depth <%= @ssl_verify_depth%>;
  <% end %>

  ssl_ciphers '<%= @ssl_ciphers %>';
  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
  ssl_protocols  <%= @ssl_protocols %>;
  ssl_session_cache  <%= @ssl_session_cache %>;
  ssl_session_timeout  <%= @ssl_session_timeout %>;
  <% if @ssl_dhparam %>
  ssl_dhparam <%= @ssl_dhparam %>;
  <% end %>

  <% if @ssl_password_file %>
  ssl_password_file '<%= @ssl_password_file %>';
  <% end %>
  <% end %>

  ## Real IP Module Config
  ## http://nginx.org/en/docs/http/ngx_http_realip_module.html
  <% if @real_ip_header %>
  real_ip_header <%= @real_ip_header %>;
  <% end %>
  <% if @real_ip_recursive %>
  real_ip_recursive <%= @real_ip_recursive %>;
  <% end %>
  <% @real_ip_trusted_addresses.each do |trusted_address| %>
  set_real_ip_from <%= trusted_address %>;
  <% end %>

  ## HSTS Config
  ## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
  <% unless @hsts_max_age.nil? || @hsts_max_age <= 0 %>
  add_header Strict-Transport-Security "max-age=<%= @hsts_max_age -%>
<% if @hsts_include_subdomains %>; includeSubdomains<% end %>";
  <% end %>

  <% if @referrer_policy %>
  add_header Referrer-Policy <%= @referrer_policy %>;
  <% end %>

  access_log  <%= @log_directory %>/gitlab_mattermost_access.log gitlab_mattermost_access;
  error_log   <%= @log_directory %>/gitlab_mattermost_error.log <%= @error_log_level%>;

  location ~ /api/v[0-9]+/(users/)?websocket$ {
    client_max_body_size <%= @client_max_body_size %>;

    <% @proxy_set_headers.each do |header| %>
    <% next if header[1].nil? %>
    proxy_set_header <%= header[0] %> <%= header[1] %>;
    <% end %>

    proxy_buffers 256 16k;
    proxy_buffer_size 16k;

    client_body_timeout 60;
    send_timeout 300;
    lingering_timeout 5;
    proxy_connect_timeout 90;
    proxy_send_timeout 300;
    proxy_read_timeout <%= @proxy_read_timeout %>;
    proxy_http_version 1.1;

    proxy_pass http://gitlab_mattermost;
  }

  location ~ /plugins/focalboard/ws/* {
    client_max_body_size <%= @client_max_body_size %>;

    <% @proxy_set_headers.each do |header| %>
    <% next if header[1].nil? %>
    proxy_set_header <%= header[0] %> <%= header[1] %>;
    <% end %>

    proxy_buffers 256 16k;
    proxy_buffer_size 16k;

    client_body_timeout 60;
    send_timeout 300;
    lingering_timeout 5;
    proxy_connect_timeout 90;
    proxy_send_timeout 300;
    proxy_read_timeout <%= @proxy_read_timeout %>;
    proxy_http_version 1.1;

    proxy_pass http://gitlab_mattermost;
  }

  <% if @letsencrypt_enable %>
  location /.well-known/acme-challenge/ {
    root <%= @dir %>/www/;
  }
  <% end %>

  location / {
    ## If you use HTTPS make sure you disable gzip compression
    ## to be safe against BREACH attack.
    <%= 'gzip off;' if @https %>

    proxy_read_timeout      <%= @proxy_read_timeout %>;
    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
    proxy_redirect          off;
    <% if @proxy_custom_buffer_size -%>
      proxy_buffers 8 <%= @proxy_custom_buffer_size %>;
      proxy_buffer_size <%= @proxy_custom_buffer_size %>;
    <% end -%>

    <% @proxy_set_headers.each do |header| %>
    <% next if header[1].nil? %>
    proxy_set_header <%= header[0] %> <%= header[1] %>;
    <% end %>
    proxy_http_version 1.1;

    proxy_pass http://gitlab_mattermost;
  }

  <%= @custom_gitlab_mattermost_server_config %>
} ## end HTTPS server
